CREATE USER

The CREATE USER statement creates a new user with the specified password. As in MySQL, a user in the TiDB privilege system is the combination of a username and the host from which that user connects. You can therefore create a user 'newuser2'@'192.168.1.1' that is only able to connect from the IP address 192.168.1.1. The same username logging in from different hosts may hold different privileges.

Synopsis

(Syntax diagrams for CreateUserStmt, IfNotExists, UserSpecList, UserSpec, AuthOption, StringName, PasswordOption, LockOption, AttributeOption and ResourceGroupNameOption; the same rules are given in EBNF form below.)

```ebnf
CreateUserStmt ::=
    'CREATE' 'USER' IfNotExists UserSpecList RequireClauseOpt ConnectionOptions PasswordOption LockOption AttributeOption ResourceGroupNameOption

IfNotExists ::=
    ('IF' 'NOT' 'EXISTS')?

UserSpecList ::=
    UserSpec ( ',' UserSpec )*

UserSpec ::=
    Username AuthOption

AuthOption ::=
    ( 'IDENTIFIED' ( 'BY' ( AuthString | 'PASSWORD' HashString ) | 'WITH' StringName ( 'BY' AuthString | 'AS' HashString )? ) )?

StringName ::=
    stringLit
|   Identifier

PasswordOption ::= ( 'PASSWORD' 'EXPIRE' ( 'DEFAULT' | 'NEVER' | 'INTERVAL' N 'DAY' )? | 'PASSWORD' 'HISTORY' ( 'DEFAULT' | N ) | 'PASSWORD' 'REUSE' 'INTERVAL' ( 'DEFAULT' | N 'DAY' ) | 'FAILED_LOGIN_ATTEMPTS' N | 'PASSWORD_LOCK_TIME' ( N | 'UNBOUNDED' ) )*

LockOption ::= ( 'ACCOUNT' 'LOCK' | 'ACCOUNT' 'UNLOCK' )?

AttributeOption ::= ( 'COMMENT' CommentString | 'ATTRIBUTE' AttributeString )?

ResourceGroupNameOption ::= ( 'RESOURCE' 'GROUP' Identifier )?
```

Examples

Create a user with the password newuserpassword.

```sql
CREATE USER 'newuser' IDENTIFIED BY 'newuserpassword';
```

```
Query OK, 1 row affected (0.04 sec)
```

Create a user that can only log in from 192.168.1.1, with the password newuserpassword.

```sql
CREATE USER 'newuser2'@'192.168.1.1' IDENTIFIED BY 'newuserpassword';
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user who is required to use a TLS connection when logging in.

```sql
CREATE USER 'newuser3'@'%' IDENTIFIED BY 'newuserpassword' REQUIRE SSL;
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user who is required to present a client certificate from the specified issuer when logging in.

```sql
CREATE USER 'newuser4'@'%' IDENTIFIED BY 'newuserpassword' REQUIRE ISSUER '/C=US/ST=California/L=San Francisco/O=PingCAP';
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user whose account is locked on creation.

```sql
CREATE USER 'newuser5'@'%' ACCOUNT LOCK;
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user with a comment.

```sql
CREATE USER 'newuser6'@'%' COMMENT 'This user is created only for test';
SELECT * FROM information_schema.user_attributes;
```

```
+-----------+------+---------------------------------------------------+
| USER      | HOST | ATTRIBUTE                                         |
+-----------+------+---------------------------------------------------+
| newuser6  | %    | {"comment": "This user is created only for test"} |
+-----------+------+---------------------------------------------------+
1 rows in set (0.00 sec)
```

Create a user with an email attribute.

```sql
CREATE USER 'newuser7'@'%' ATTRIBUTE '{"email": "user@pingcap.com"}';
SELECT * FROM information_schema.user_attributes;
```

```
+-----------+------+---------------------------------------------------+
| USER      | HOST | ATTRIBUTE                                         |
+-----------+------+---------------------------------------------------+
| newuser7  | %    | {"email": "user@pingcap.com"}                     |
+-----------+------+---------------------------------------------------+
1 rows in set (0.00 sec)
```

Create a user who is not allowed to reuse any of the last 5 passwords.

```sql
CREATE USER 'newuser8'@'%' PASSWORD HISTORY 5;
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user whose password is manually expired at creation.

```sql
CREATE USER 'newuser9'@'%' PASSWORD EXPIRE;
```

```
Query OK, 1 row affected (0.02 sec)
```

Create a user bound to the resource group rg1:

```sql
CREATE USER 'newuser7'@'%' RESOURCE GROUP rg1;
SELECT USER, HOST, USER_ATTRIBUTES FROM MYSQL.USER WHERE USER='newuser7';
```

```
+-----------+------+---------------------------------------------------+
| USER      | HOST | USER_ATTRIBUTES                                   |
+-----------+------+---------------------------------------------------+
| newuser7  | %    | {"resource_group": "rg1"}                         |
+-----------+------+---------------------------------------------------+
1 rows in set (0.00 sec)
```
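The examples above set one option each. The statement below is an added example, not part of the TiDB documentation: it composes the REQUIRE clause with the PasswordOption and AttributeOption rules from the grammar into a single hardened service account and then reads the stored result back. The account name, host pattern, password placeholder and numeric values are constructed for illustration.

```sql
-- Added example (not from the TiDB docs). Names and values are constructed.
-- Options appear in the order the CreateUserStmt grammar requires:
-- UserSpec (with AuthOption), REQUIRE clause, PasswordOption, AttributeOption.
CREATE USER IF NOT EXISTS 'svc_reporting'@'10.0.0.%'
    IDENTIFIED BY 'CHANGE-ME-placeholder'      -- placeholder; rotated on first login
    REQUIRE SSL                                -- refuse plaintext connections
    PASSWORD EXPIRE INTERVAL 90 DAY            -- force rotation every 90 days
    PASSWORD HISTORY 5                         -- the last 5 passwords cannot be reused
    PASSWORD REUSE INTERVAL 365 DAY            -- nor any password used within a year
    FAILED_LOGIN_ATTEMPTS 5                    -- lock the account after 5 failures
    PASSWORD_LOCK_TIME 1                       -- for 1 day
    COMMENT 'Reporting service account; owner: data-platform team';

-- Read back what the server actually stored. TiDB parses but silently ignores
-- CREATE options it does not support, so a successful statement alone does not
-- prove that every requested control is in force.
SELECT USER, HOST, USER_ATTRIBUTES
FROM mysql.user
WHERE USER = 'svc_reporting';

SELECT USER, HOST, ATTRIBUTE
FROM information_schema.user_attributes
WHERE USER = 'svc_reporting';
```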

MySQL compatibility

  • TiDB does not support the WITH MAX_QUERIES_PER_HOUR, WITH MAX_UPDATES_PER_HOUR and WITH MAX_USER_CONNECTIONS CREATE options.
  • TiDB does not support the DEFAULT ROLE option.
  • TiDB does not support password-restriction CREATE options such as PASSWORD EXPIRE and PASSWORD HISTORY.
  • CREATE options that TiDB does not yet support are parsed but ignored.

See also